de_great |
CUCM - ASA Secure Voice
Jul 2 2008, 5:57 AM EDT
I have been struggling here lately on the topic of how to properly secure my Voice Network. I heard the PodCast on the ASA implementation and have read that is the way to go. However, the how is always left out.... I think a segment on this would be great.

Can you explain in more detail how the ASA 5500 is implemented in the CUCM World? Voice Security is starting to be a reoccurring theme, but I am not finding much information pertaining to the Cisco Recommended Procedures or how-tos (if you will). For example:

- What type of ASA is required for what level? When I have a HQ of 2000 Phones and remote sites also with 1000.... what should be used at the locations? Is there a Matrix of some sort?
- How is it implemented (obviously at the network level), but how is the CUCM connected..... via IPSEC with the ASA?
- Is there an SRND for an ASA Voice environment?
- Obviously due to the TLS Proxy the ASA is very attractive, but what are the ups and downs compared to GetVPN?

For many people dealing with Firewalls and ASAs on a daily basis these questions might seem a little basic, but for people coming from the "Voice" Unified Communications Area there are a lot of things left unsaid. Unfortunately, when installing a CUCM Cluster and the Customer wants a Secure Voice Network.... they do not understand that this is more network security than voice, and it is up to us to magically come up with the answer.

This topic of Voice Security is becoming the number 1 issue with large companies today, and the only official statement that I find states that we should use the ASAs. Great.... but how?

Thanks

4 out of 4 found this valuable.
JimmyRay10acn |
1. RE: CUCM - ASA Secure Voice
Jul 2 2008, 10:11 AM EDT
This is a great call for not only a segment, but really a complete show. Voice security is really getting hot right now. I hear about this all of the time. I have used the ASA for many security features, and to get the best security package, ensure that you are on version 7.2 or later. I use the 5500 for eavesdrop protection all the time. The config shell I use is:

! Regexes for the called numbers to match
TechWiseTVASA(config)# regex phone1 "2625551212"
TechWiseTVASA(config)# regex phone2 "2625552222"
! Inspection class map that selects H.323 calls by called party
TechWiseTVASA(config)# class-map type inspect h323 match-all voice_traffic
TechWiseTVASA(config-cmap)# match called-party regex phone1
TechWiseTVASA(config-cmap)# match called-party regex phone2
! H.323 inspection policy map: RTP payload-type enforcement, drop matching calls
TechWiseTVASA(config)# policy-map type inspect h323 h323-policy-map
TechWiseTVASA(config-pmap)# parameters
TechWiseTVASA(config-pmap-p)# rtp-conformance enforce-payloadtype
TechWiseTVASA(config-pmap)# class voice_traffic
TechWiseTVASA(config-pmap-c)# drop
TechWiseTVASA(config)# service-policy h323-policy-map interface inside

Right now, there is not an SRND on the design you are talking about. As a ready reference, I have used:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081042c.shtml

and

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/inspect.html

and of course using v3pn site to site is an excellent solution as well.

Jimmy Ray

3 out of 3 found this valuable.
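Added example (not part of the reply above or of any Cisco document): an ASA inspection config of this kind only takes effect if every regex and class-map name it references is defined, and if the inspection policy map is attached through the `inspect` command of a Layer 3/4 policy map rather than named directly in `service-policy`. The Python below checks those references in pasted config text; `check_refs` and `SAMPLE` are names made up for this example, and the sample config is constructed with deliberately inconsistent names.

```python
# Added example: reference checker for ASA modular-policy config text.
# SAMPLE is constructed for this example, with names left inconsistent on purpose.
SAMPLE = """\
regex phone1 "2625551212"
class-map type inspect h323 match-all voice-traff
 match called-party regex phone1
 match called-party regex phone2
policy-map type inspect h323 h323-policy-map
 parameters
  rtp-conformance enforce-payloadtype
 class voice_traffic
  drop
service-policy h323-policy-map interface inside
"""

def check_refs(config):
    """Return (line_no, message) findings for names used but never defined."""
    lines = [(n, l.split()) for n, l in enumerate(config.splitlines(), 1) if l.split()]
    regexes, class_maps = set(), {"class-default"}   # class-default always exists
    inspect_maps, l34_maps = set(), set()
    for _, t in lines:                               # pass 1: collect definitions
        if t[0] == "regex" and len(t) >= 3:
            regexes.add(t[1])
        elif t[0] == "class-map":
            class_maps.add(t[-1])
        elif t[0] == "policy-map":
            # "policy-map type inspect ..." is an inspection map, otherwise Layer 3/4
            (inspect_maps if "type" in t[1:2] else l34_maps).add(t[-1])
    findings = []
    for n, t in lines:                               # pass 2: check each reference
        if t[0] == "match" and "regex" in t[1:-1]:
            name = t[t.index("regex") + 1]
            if name != "class" and name not in regexes:  # "regex class X" not checked
                findings.append((n, f"regex '{name}' is not defined"))
        elif t[0] == "class" and len(t) > 1 and t[1] not in class_maps:
            findings.append((n, f"class-map '{t[1]}' is not defined"))
        elif t[0] == "service-policy" and len(t) > 1:
            if t[1] in inspect_maps:
                findings.append((n, f"'{t[1]}' is an inspection policy map; attach "
                                    "it with 'inspect' in a Layer 3/4 policy map"))
            elif t[1] not in l34_maps:
                findings.append((n, f"policy-map '{t[1]}' is not defined"))
    return findings

if __name__ == "__main__":
    for n, msg in check_refs(SAMPLE):
        print(f"line {n}: {msg}")
```
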
de_great |
2. RE: CUCM - ASA Secure Voice
Jul 3 2008, 11:18 AM EDT
Thanks for the reply..... I wish someone at Cisco would write a Design guide for this theme. Before they get around to it..... it might be too late in the game.

2 out of 2 found this valuable.
JimmyRay10acn |
3. RE: CUCM - ASA Secure Voice
Jul 3 2008, 12:21 PM EDT
I have a few meetings with the voice folks next week. Let me see what the progress/intent is of doing an SRND on secure voice.

1 out of 1 found this valuable.
de_great |
4. RE: CUCM Secure
Oct 14 2008, 5:46 AM EDT
Hi, is there any new information about a CUCM Secure Segment? I have another couple of points that could be added.... (It all seems like a Grey Topic right now, where no one really wants to create an official solution/SRND, etc.)

- The use of an External CA instead of the Internal CAPF.
- How to migrate from the Internal CAPF to an External CA.
- What is Cisco's Recommended solution to CUCM-Gateway Security (IPSEC or ASA or ?)
- When will the user ID and PIN submission for Extension Mobility be secured (right now everything is broadcasted in Plain Text), or what the plans are.

2 out of 2 found this valuable.